MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

18.8.11

Since its appearance in September 2010, Black Hole Exploits Kit has been very well received in the criminal environment. Its life cycle is not over yet, so it has evolved naturally, and so far three generations exist "in the wild".

Black Hole Exploits Kit was developed by someone known under the nickname Paunch. The main screen allows viewing of each component of interest to the attacker. These statistics are classic, and more or less all exploit packs follow the same pattern, because this data provides a specific map of the state of the infection campaign.

It displays the overall success rate based on the number and type of operating systems involved, the browsers through which exploitation ran via scripts, the most effective exploits, the geolocation of affected computers and the secondary botmasters using the criminal resource.

Main panel of Black Hole Exploits Kit, in which the attacker views all the processed information related to the infected computers.

Its marketing began through specific forums and has continued that way, under a licensing model with three alternatives. Some interesting facts concerning its marketing are:

The first version was released, in (infinite) beta, in September 2010 at a price that was very competitive at that time: $1.500 for an annual license, $1.000 per semester and $700 per quarter. Although its design is the same in every generation, the latest version (1.1.0) incorporates a number of "extra" features over the previous ones.

Exploits Full-On Demand

Black Hole Exploits Kit's exploitation strategy focuses mainly on Java and PDF, but always (like ALL exploit packs) without neglecting the classic MDAC. The following list represents the exploits that the first of its versions (1.0.0) includes by default:

The following versions, up to 1.0.3, did not add exploits but were optimized, for example by combining the PDF exploits into a single payload. The latest version continued the optimization of the exploits, adding two more for Java and removing IEPeers.

Black Hole Exploits Kit is not limited to this area and incorporates two basic self-defense maneuvers. On the one hand, since the first version it has incorporated a blacklist in which IP addresses and URLs to block can be configured, and the list can be imported or exported.

On the other hand, this crimeware also includes automation for checking the integrity of the malware being spread. In the first version this was done only through VirTest, with Scan4you incorporated in subsequent generations. The configurable parameters for these options require authentication data for both services, which are associated with the criminal scene.

Encryption is also within the range of services; it is offered precisely to prevent or hinder analysis of the malicious code being propagated, and its value has increased. It costs $50.

Self-defense strategy built into Black Hole Exploits Kit. The blacklist is in the "Security" tab, while the authentication information for either of the antivirus services ("Virus Check") is set in "Preferences".

Antivirus check in the first version of Black Hole. At that time the option was simply called "VirTest"; it later changed to "Virus Check" when Scan4you was included.

To protect the source code, like many others, it uses a PHP obfuscator. By default Black Hole Exploits Kit uses IonCube, but we have seen other variants obfuscated with PHP-Cryptor.

Cybercriminal affiliates

Affiliates are other botmasters or "user profiles" that use the control panel. This allows the main botmaster to run an alternative line of business, managed by renting out the resource.

Affiliates present in the Black Hole Exploits Kit "exploited". The default user can be used by the main test botmaster. This section displays information of interest limited to the exploits that the profile has configured, the operating systems and the targeted traffic.

Monetization and business scheme

Monetization is mainly based on a rental service and the sale of individual packages, all fully managed by three cybercriminals who maintain the structure of the criminal enterprise.

The structure of the business is created and managed by three individuals. Each plays a fundamental role in the criminal scheme behind Black Hole Exploits Kit.

The sale of the panels as part of the service (Crimeware-as-a-Service) is carried out through these three individuals' own infrastructure. That is, offenders generally host an encrypted copy of the packages on compromised servers; in this case, the service is run from their own servers, selling combos consisting of domains, hosting and exploit pack.

Each of the criminal group's servers generally has over 400 domains deployed and ready to trade, where each domain corresponds to a copy of Black Hole Exploits Kit. The costs of this service are:

$ 200 x 1 week

$ 300 x 2 weeks

$ 400 x 3 weeks

$ 500 per month

$ 50 x 24 hour test

Optimized for PDAs

The kit is optimized for viewing via PDA, and to our knowledge it is the first to implement this. But the functionality is not limited to the well-known PDAs; it also covers today's smartphones. The botmaster can therefore manage the intelligence of their botnets through any high-end cell phone.

Display mode of Black Hole Exploits Kit in the form optimized for PDA.

When we discovered the existence of this criminal crimeware alternative, we predicted that we security professionals should pay special attention to this Exploit Pack, mainly due to its characteristics, especially the traffic flow that the offenders ensure through their own bulletproof hosting. We were not wrong!